As user devices such as NFC-enabled mobile phones and contactless cards continue to increase in popularity, maintaining the security of payment and other transactions continues to be a concern. For instance, in order to conduct a payment transaction, it is typically necessary to authenticate the user device. One method for authenticating a user device is through the use of a cryptogram generated by the device. A cryptogram may be an encrypted data element that can be validated for authenticity by a trusted entity, such as a payment network or other entity that authorizes a transaction (e.g., access to a document or a building). However, an attacker may attempt to eavesdrop on a transaction (e.g., by conducting a man-in-the-middle attack). Thus, an attacker may attempt to intercept a cryptogram transmitted by the user. If the attacker determines the cryptogram, it could be used for illicit purposes.
Further complicating matters is the security of the user device itself. In some cases, the user device may be compromised or otherwise untrustworthy, so that it would be inadvisable to store persistent secure credentials, such as a static cryptogram generation key, on the device. Conducting a secure transaction in such circumstances may pose a challenge.
Embodiments of the present invention address these problems and other problems individually and collectively.